Establishing the SSL protocol in a DataServer broker instance of the Unified Broker

The following set of SSL properties is used to establish SSL protocol communication using OpenEdge networking for a unified broker configuration defined in the ubroker.properties file:

Table 30. SSL properties used to establish SSL protocol communication

| Property | Default Value | Description |
|---|---|---|
| sslEnable | 0 | Enables SSL-secure connections to a DataServer broker instance from remote DataServer clients. To enable SSL security for incoming client connections, set the property value to 1. While the sslEnable switch enables the infrastructure needed to make SSL connections, it does not initiate the start of an SSL connection dialogue. To start the dialogue, the srvrStartupParam must be appended with the "-ssl" startup parameter. |
| keyAlias | default_server | Specifies the alias set for a private/public key. If this property is not set, the server certificate alias that is provided by OpenEdge is used. |
| keyAliasPasswd | 20333c34252a2137 | Specifies the encoded password set for the alias of the private/public key to access the server Private Key / Digital Certificate key store entry. You can use the OpenEdge-provided genpassword utility to encode your passwords. |
| keyStorePath | $DLC/keys | Specifies the key store location. |
| keyStorePasswd | NA | Specifies the password used for accessing a custom keystore. This password is expected to be encoded. You can use the OpenEdge-provided genpassword utility to encode your passwords. |
| srvrStartupParam | -svub -S X -N TCP -U X -P X -hs 0 -s 40 | Specifies server/agent startup parameters that each process uses when the broker starts it. The default startup parameters can be appended with the "-ssl" parameter in order to start servers/agents in SSL secure connection mode, as follows: -svub -S X -N TCP -U X -P X -hs 0 -s 40 -ssl. When agents are started with the -ssl switch, they can only accept SSL-enabled client connections. This property can be dynamically updated. Dynamic changes affect only new agents that are started after this value is changed. |
| sslCiphers | AES128-SHA256 | The SSL algorithm list to use in arbitrating an SSL session with an SSL client. Also referred to as the server ciphers. |
| certStorePath | @{Startup\DLC}\certs\ | The path to the trusted certificate store. The root certificate of the certificate authority that was used to sign the server certificate should be specified by this path. The client can also specify the certificate store path on the command line, for example: _progres -b -p client.p -certstorepath $RDLQA/tests/SHA2/$alg/certs |
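Because sslEnable only enables the SSL infrastructure while the "-ssl" switch in srvrStartupParam actually starts the SSL dialogue, the two settings are easy to leave inconsistent (SSL "enabled" but agents still starting in non-SSL mode, or the reverse). The following Python script, an added example that is not part of the OpenEdge documentation or product, reads a ubroker.properties fragment with the standard library and reports such inconsistencies for every broker section. The section names ([UBroker.MS.msbroker1] and so on) and the sample values are constructed for the example; the property names are those of the table above.

```python
"""Consistency check for the SSL properties of DataServer broker instances
in ubroker.properties (added example; section names are assumed)."""
import configparser
from typing import Dict, List

# Constructed sample: msbroker1 enables the SSL infrastructure but never
# starts the SSL dialogue; msbroker2 passes -ssl to agents without sslEnable=1.
SAMPLE_PROPERTIES = r"""
[UBroker.MS.msbroker1]
sslEnable=1
keyAlias=default_server
keyAliasPasswd=20333c34252a2137
keyStorePath=$DLC/keys
sslCiphers=AES128-SHA256
certStorePath=@{Startup\DLC}\certs\
srvrStartupParam=-svub -S X -N TCP -U X -P X -hs 0 -s 40

[UBroker.MS.msbroker2]
sslEnable=0
srvrStartupParam=-svub -S X -N TCP -U X -P X -hs 0 -s 40 -ssl
"""

# Constructed sample with both settings aligned: no findings expected.
FIXED_PROPERTIES = r"""
[UBroker.MS.msbroker1]
sslEnable=1
keyAlias=default_server
keyAliasPasswd=20333c34252a2137
keyStorePath=$DLC/keys
sslCiphers=AES128-SHA256
srvrStartupParam=-svub -S X -N TCP -U X -P X -hs 0 -s 40 -ssl
"""


def load_properties(text: str) -> configparser.ConfigParser:
    """Parse a ubroker.properties fragment, keeping property names case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep sslEnable, keyAlias, ... exactly as written
    cp.read_string(text)
    return cp


def audit_ssl(text: str) -> Dict[str, List[str]]:
    """Return {section: [problem, ...]} for every UBroker section with an SSL inconsistency."""
    cp = load_properties(text)
    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("UBroker."):
            continue
        problems: List[str] = []
        ssl_enable = cp.get(section, "sslEnable", fallback="0").strip()
        params = cp.get(section, "srvrStartupParam", fallback="").split()
        has_ssl_flag = "-ssl" in params

        if ssl_enable not in ("0", "1"):
            problems.append(f"sslEnable={ssl_enable!r} is not 0 or 1")
        # sslEnable=1 alone only enables the infrastructure; agents still start non-SSL.
        if ssl_enable == "1" and not has_ssl_flag:
            problems.append("sslEnable=1 but srvrStartupParam lacks -ssl: agents start in non-SSL mode")
        if ssl_enable != "1" and has_ssl_flag:
            problems.append("srvrStartupParam has -ssl but sslEnable is not 1")
        # A look-alike token (e.g. an en-dash pasted from a document) is not the -ssl switch.
        for tok in params:
            if tok.lower().endswith("ssl") and tok != "-ssl":
                problems.append(f"startup token {tok!r} is not the -ssl switch")
        # A custom keystore needs its (encoded) keyStorePasswd; the default one does not.
        key_store = cp.get(section, "keyStorePath", fallback="$DLC/keys").strip()
        if key_store != "$DLC/keys" and not cp.has_option(section, "keyStorePasswd"):
            problems.append("custom keyStorePath set without keyStorePasswd")

        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for section, problems in audit_ssl(SAMPLE_PROPERTIES).items():
        for problem in problems:
            print(f"{section}: {problem}")
    print("fixed sample:", audit_ssl(FIXED_PROPERTIES) or "no findings")
```

Run it against a real ubroker.properties by passing the file contents to audit_ssl; the check deliberately treats a missing sslEnable as 0 and a missing keyStorePath as $DLC/keys, matching the defaults in the table.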

When a DataServer instance of the Unified Broker is configured for SSL, the server/agent does not attempt to auto-correct a client's connection attempt made in non-SSL mode. Instead, the server/agent rejects the connection request and logs an exception. Client users must explicitly initiate their server connection in SSL mode in order to connect to an SSL-enabled DataServer broker instance of the Unified Broker.

Note: This is in contrast to the ProBroker configuration where a DataServer client connection attempted in non-SSL mode receives a return message from the SSL-enabled ProBroker that auto-corrects the connection request and retries it in SSL mode.